Analysis

  • max time kernel
    115s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-02-2024 17:11

General

  • Target
    ac6a30beef122bf03b58cdf3ca44da99.xls
  • Size
    133KB
  • MD5
    ac6a30beef122bf03b58cdf3ca44da99
  • SHA1
    acbb0ba349920edefa49b21a8c46160f14f41c24
  • SHA256
    42cc135bba7641d534f8588b94f13f838d9bf29f9b2b02990f1df1d76f02b8cf
  • SHA512
    1e67894392e7325032956b2b2492f574c6a9f72adf529537a6594110410b3560fe2bb14136cdcc81101e463dfc40438652c459487fd04f3dd24172aa5a63a7df
  • SSDEEP
    1536:F444SBBv4RVtUj0sqN4UnWHkLWX/6xBSu9sqIg2GHArAIVR+TtXWVbrzQ7ITkApK:NuzHArAFWVbrzQ7ITkylKDRvqTc

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process (3 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro. Here the three IoCs are the cmd.exe children of EXCEL.EXE (PIDs 4728, 2732 and 2532) in the process tree below; each of them operates on the file K4.XLS in the user's Excel XLSTART folder, the per-user startup folder whose workbooks Excel opens automatically on every launch.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (14 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

    The AddClipboardFormatListener, FindShellTrayWindow and SetWindowsHookEx entries are generic API-usage heuristics that a GUI application such as Excel triggers on its own; the actionable findings in this report are the unexpected cmd.exe children and the attrib.exe call that strips the System and Hidden attributes from XLSTART\K4.XLS before it is deleted.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ac6a30beef122bf03b58cdf3ca44da99.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      2⤵
      • Process spawned unexpected child process
      PID:4728
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      2⤵
      • Process spawned unexpected child process
      PID:2732
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\system32\attrib.exe
        attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
        3⤵
        • Views/modifies file attributes
        PID:1324
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4868 --field-trial-handle=2276,i,1205556100727695622,5044463180471657307,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3152
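The process tree above is the part of this report a detection engineer can act on: EXCEL.EXE (PID 2424) launches three cmd.exe children that remove the directory, delete the file, and strip the System and Hidden attributes from %APPDATA%\Microsoft\Excel\XLSTART\K4.XLS, with attrib.exe (PID 1324) as a grandchild. The msedge.exe utility process at the same depth has no signatures attached and is not a child of Excel. The example below is added here and is not Triage's code or the sample's: it runs two rules over process-creation records, "an Office application spawned a shell" and "a command line deletes or unhides something under XLSTART", and walks the parent chain so the attrib.exe grandchild is tied back to Excel. The tab-separated log format, the explorer.exe parent (PIDs 900 and 1000), the benign cmd.exe with PID 5555, and the OFFICE_IMAGES / SHELL_IMAGES sets are constructed assumptions for the illustration; real telemetry (Sysmon Event ID 1, EDR process events) carries the same four fields under different names.

```python
"""Flag Office-spawned shells and XLSTART tampering in process-creation records.

Added example for this report; the record format below is constructed and is
not Sysmon or EDR output.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumed allowlists for the rules (not from the report).
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# %APPDATA%\Microsoft\Excel\XLSTART: workbooks here open on every Excel start.
XLSTART_RE = re.compile(r"\\Microsoft\\Excel\\XLSTART\\", re.IGNORECASE)
# Verbs that delete or unhide a file; the three cmd.exe children use RD, Del and attrib.
TAMPER_RE = re.compile(r"\b(rd|rmdir|del|erase|attrib)\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str


# Constructed records: the report's process tree plus an explorer.exe root and a
# benign explorer.exe -> cmd.exe pair (PID 5555) that the rules must not flag.
# Hypothetical format: pid<TAB>ppid<TAB>image<TAB>command line
SAMPLE_LOG = """\
1000\t900\tC:\\Windows\\explorer.exe\tC:\\Windows\\explorer.exe
2424\t1000\tC:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE\t"C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE" "C:\\Users\\Admin\\AppData\\Local\\Temp\\ac6a30beef122bf03b58cdf3ca44da99.xls"
4728\t2424\tC:\\Windows\\system32\\cmd.exe\tC:\\Windows\\system32\\cmd.exe /c RD /S /Q "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\K4.XLS"
2732\t2424\tC:\\Windows\\system32\\cmd.exe\tC:\\Windows\\system32\\cmd.exe /c Del /F /Q "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\K4.XLS"
2532\t2424\tC:\\Windows\\system32\\cmd.exe\tC:\\Windows\\system32\\cmd.exe /c attrib -S -h "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\K4.XLS"
1324\t2532\tC:\\Windows\\system32\\attrib.exe\tattrib -S -h "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\K4.XLS"
5555\t1000\tC:\\Windows\\system32\\cmd.exe\tC:\\Windows\\system32\\cmd.exe /c dir C:\\Users\\Admin
"""


def parse_events(lines: Iterable[str]) -> List[ProcEvent]:
    """Parse the tab-separated records; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        pid, ppid, image, cmdline = line.split("\t", 3)
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image names from pid up to the oldest ancestor present in the records."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def find_suspicious(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every record that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and basename(e.image) in SHELL_IMAGES and basename(parent.image) in OFFICE_IMAGES:
            findings.append(("office_spawned_shell", e.pid))
        if XLSTART_RE.search(e.cmdline) and TAMPER_RE.search(e.cmdline):
            findings.append(("xlstart_tamper", e.pid))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for rule, pid in find_suspicious(evs):
        print(f"{rule:22} pid={pid:<5} chain={' <- '.join(ancestry(evs, pid))}")
```

The parent-image rule alone already catches the three cmd.exe children; the path rule is what also catches the attrib.exe grandchild, whose direct parent is cmd.exe rather than Excel, and it keeps firing if the macro is later changed to launch the shell through an intermediate process. Neither rule fires on the constructed explorer.exe -> cmd.exe record.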

Network

MITRE ATT&CK Enterprise v15

Downloads

All memory dumps listed below were taken from EXCEL.EXE (PID 2424); the entries are named by PID, dump index and the virtual address range captured.


  • memory/2424-0-0x00007FF9D4CD0000-0x00007FF9D4CE0000-memory.dmp (64KB)
  • memory/2424-3-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-2-0x00007FF9D4CD0000-0x00007FF9D4CE0000-memory.dmp (64KB)
  • memory/2424-1-0x00007FF9D4CD0000-0x00007FF9D4CE0000-memory.dmp (64KB)
  • memory/2424-4-0x00007FF9D4CD0000-0x00007FF9D4CE0000-memory.dmp (64KB)
  • memory/2424-5-0x00007FF9D4CD0000-0x00007FF9D4CE0000-memory.dmp (64KB)
  • memory/2424-6-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-7-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-8-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-9-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-10-0x00007FF9D2940000-0x00007FF9D2950000-memory.dmp (64KB)
  • memory/2424-11-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-12-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-13-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-15-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-16-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-17-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-14-0x00007FF9D2940000-0x00007FF9D2950000-memory.dmp (64KB)
  • memory/2424-18-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-19-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-20-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-21-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-22-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-23-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)
  • memory/2424-40-0x000001F76F9E0000-0x000001F7709B0000-memory.dmp (15.8MB)
  • memory/2424-48-0x000001F76F9E0000-0x000001F7709B0000-memory.dmp (15.8MB)
  • memory/2424-53-0x000001F76F9E0000-0x000001F7709B0000-memory.dmp (15.8MB)
  • memory/2424-57-0x000001F76F9E0000-0x000001F7709B0000-memory.dmp (15.8MB)
  • memory/2424-59-0x000001F75FB60000-0x000001F75FD60000-memory.dmp (2.0MB)
  • memory/2424-60-0x000001F76F9E0000-0x000001F7709B0000-memory.dmp (15.8MB)
  • memory/2424-61-0x000001F75FB60000-0x000001F75FD60000-memory.dmp (2.0MB)
  • memory/2424-62-0x000001F75FB60000-0x000001F75FD60000-memory.dmp (2.0MB)
  • memory/2424-69-0x000001F75FB60000-0x000001F75FD60000-memory.dmp (2.0MB)
  • memory/2424-80-0x000001F76F9E0000-0x000001F7709B0000-memory.dmp (15.8MB)
  • memory/2424-81-0x000001F75FB60000-0x000001F75FD60000-memory.dmp (2.0MB)
  • memory/2424-97-0x000001F76F9E0000-0x000001F7709B0000-memory.dmp (15.8MB)
  • memory/2424-98-0x00007FFA14C50000-0x00007FFA14E45000-memory.dmp (2.0MB)